
Chinese websites targeted in drive-by download attack that drops DDoS bot

27 Feb 2018

Chinese websites have recently been targeted by a drive-by download campaign that dropped a Distributed Denial of Service (DDoS) bot by the name of Avzhan, a malware that has been around since 2010.

The most recent attacks were spotted by Malwarebytes Labs researchers, who say that this particular drive-by download was not advanced, but that it did demonstrate the use of several different exploits to distribute malware.

“For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China,” Malwarebytes researcher Jérôme Segura explains.

The researchers spotted the campaign after analysing compromised sites that loaded external content through iframes and scripts.

Some of those sites hosted cryptominers, while other redirects led to a server hosting several exploits.
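As an added illustration (not Malwarebytes' tooling and not code from the original article), the following Python script triages a saved HTML page for the pattern described above: iframes and scripts pulling content from a host other than the site's own, hidden iframes, and inline VBScript blocks. The sample page, the domain names in it and the first-party host allow-list are constructed for the example; a real deployment would substitute its own hosts.

```python
"""
Triage a fetched HTML page for drive-by injection markers.

Added example; not Malwarebytes' code.  SAMPLE_PAGE, the hostnames in it and
FIRST_PARTY_HOSTS are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionTriage(HTMLParser):
    """Collect off-site iframe/script sources, hidden iframes and inline VBScript."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []          # list of (kind, detail) tuples
        self._in_vbscript = False   # True while inside a <script language="VBScript">

    def _is_offsite(self, url):
        host = urlparse(url).hostname
        # Relative URLs have no host and are first-party by definition;
        # protocol-relative "//host/x.js" does carry a host and is checked.
        return host is not None and host.lower() not in self.first_party

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "script") and a.get("src") and self._is_offsite(a["src"]):
            self.findings.append((f"offsite-{tag}", a["src"]))
        if tag == "iframe":
            # Zero-sized or display:none iframes are the classic drive-by carrier.
            style = (a.get("style") or "").replace(" ", "").lower()
            if ("display:none" in style or "visibility:hidden" in style
                    or a.get("width") == "0" or a.get("height") == "0"):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        if tag == "script":
            lang = (a.get("language") or a.get("type") or "").lower()
            if lang in ("vbscript", "text/vbscript"):
                self._in_vbscript = True

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data verbatim (CDATA mode).
        if self._in_vbscript and data.strip():
            self.findings.append(("inline-vbscript", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_vbscript = False


def triage_html(html, first_party_hosts):
    """Return the list of (kind, detail) findings for one HTML document."""
    parser = InjectionTriage(first_party_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a site that legitimately loads from its own CDN, plus an
# injected hidden iframe to an off-site host and an injected VBScript block.
FIRST_PARTY_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}
SAMPLE_PAGE = """<html><head><title>Example</title>
<script src="/static/site.js"></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://exploit-host.invalid/index.html" width="0" height="0" style="display:none"></iframe>
<script language="VBScript">
Set o = CreateObject("Microsoft.XMLHTTP")
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in triage_html(SAMPLE_PAGE, FIRST_PARTY_HOSTS):
        print(f"{kind:16} {detail}")
```

Run against a crawl of pages, any off-site iframe or script source that is common to many unrelated sites is the lead to pivot on; the allow-list only suppresses a site's own CDN and similar known-good hosts.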

Those exploits include three that target vulnerabilities in ActiveX, Flash Player and Internet Explorer.

The ActiveX vulnerability (CVE-2008-2551) is an old flaw affecting the C6 Messenger ActiveX control. The attackers reused existing exploit code and changed only the download URL to point to their own malware.

The Flash vulnerability (CVE-2015-5119) is also an older flaw, affecting unpatched versions of Flash Player. Malwarebytes researchers say this exploit code was taken from a proof-of-concept and, in this instance, causes instability in the browser that may crash it.

The Internet Explorer vulnerability (CVE-2016-0189), also known as ‘God Mode’, was present in the served code but ‘commented out’, so it was never triggered, researchers explain.

The working exploits were used to drop the Avzhan DDoS bot, which registers itself as a Windows service.

Although researchers didn’t catch the bot in the act of conducting DDoS attacks, its capability is clearly evident in the code.

The malware has been around for several years, but researchers say it is anything but sophisticated. Its core has not really changed; the only modifications were made to hide the malware better and to add further configuration.

“Although we see the use of several exploits, we cannot call this an exploit kit—not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same,” Segura says.

“Regardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.”
